Online Cryptography Course
Dan Boneh

Stream ciphers
PRG Security Defs

Let G: K ⟶ {0,1}^n be a PRG

Goal: define what it means that is “indistinguishable” from

Statistical Tests

Statistical test on {0,1}^n: an alg. A s.t. A(x) outputs “0” or “1”

Examples:

More examples:

Advantage

Let G: K ⟶ {0,1}^n be a PRG and A a stat. test on {0,1}^n

Define:

A silly example: A(x) = 0 ⇒ Adv_PRG[A,G] = 0

Suppose G: K ⟶ {0,1}^n satisfies msb(G(k)) = 1 for 2/3 of keys in K

Define stat. test A(x) as:
    if [ msb(x) = 1 ] output “1” else output “0”

Then
    Adv_PRG[A,G] = | Pr[ A(G(k)) = 1 ] - Pr[ A(r) = 1 ] | = | 2/3 - 1/2 | = 1/6

Secure PRGs: crypto definition

Def: We say that G: K ⟶ {0,1}^n is a secure PRG if

Are there provably secure PRGs?

but we have heuristic candidates

Easy fact: a secure PRG is unpredictable

We show: PRG predictable ⇒ PRG is insecure

Suppose A is an efficient algorithm s.t.

for non-negligible ε (e.g. ε = 1/1000)

Define statistical test B as:

Thm (Yao’82): an unpredictable PRG is secure

Let G: K ⟶ {0,1}^n be a PRG

“Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable at pos. i, then G is a secure PRG

If next-bit predictors cannot distinguish G from random, then no statistical test can!!

Let G: K ⟶ {0,1}^n be a PRG such that from the last n/2 bits of G(k) it is easy to compute the first n/2 bits

Is G predictable for some i ∈ {0, … , n-1} ?

Yes / No

More Generally

Let P1 and P2 be two distributions over {0,1}^n

Def: We say that P1 and P2 are computationally indistinguishable (denoted )

Example: a PRG is secure if { k ⟵R K : G(k) } ≈p uniform({0,1}^n)

End of Segment